Support Azure AD tenant-specific authorization

My use case is I have added contractors to my Azure AD as guest accounts, but these users cannot log in to SonarCloud to view analysis reports.

After a lot of digging, I’ve concluded that Azure AD guest user accounts cannot log in to SonarCloud via Azure DevOps unless that guest account happens to reside in its own properly configured AD tenant. This is largely due to SonarCloud using the Microsoft common authorize endpoint for this login method which does not support guest accounts. This means that, when users log in to SonarCloud with Azure AD credentials, they’re logging in against their tenant, not mine. In the case of my contractor guest account users, they most likely have what Microsoft refers to here as “just-in-time” tenants that have not been configured or validated with their email domain, which causes login issues as I’ve detailed in the topic linked below.

My desired workflow, if possible:

  1. At least one member of the host/parent active directory needs to log in to SonarCloud with Azure DevOps/AD to create an organization.
  2. I’d suspect that you can get my Azure AD tenant Id from my user token, based on a SonarCloud application being added to my Azure AD tenant, but if not I would be happy to provide it in the organization settings and/or specify that my organization’s users will be logging in via Azure AD.
  3. If users navigate directly to https://sonarcloud.io/organizations/[my org], instead of a 403 (as it currently does), could you query if my organization has been configured for Azure AD, query my organization’s tenant id, and redirect the user to the tenant-specific authorize endpoint instead of the common one? This would allow me, as an admin, to control user access to Sonar through my AD.

Additionally, if a user goes through this workflow and successfully logs in, you could confidently auto-add them to my SonarCloud organization, which I have seen is another ask from users.

For reference, I have a question related to this feature request that triggered all this research that may be found here:

This may force me to cancel SonarCloud in favor of SonarQube, but I really don’t want to take on all of the operational overhead associated with that. So, if there’s anything I can do to help or if you need a guinea pig customer to help out, please let me know.

Thanks for the details Brian, I’m logging this in our backlog. I hope we can do something about it when Microsoft has released the new version of their Auth library - which we’ll want to use to fix various limitations we currently have.

Hi @engenb,

We recently made improvements on Microsoft Authentication, and not only do we support personal accounts, we also support the full MSAL system, with the V2 authorization endpoint, which might help you in what you want to achieve.

Could you please test again and let us know?

Thank you very much!

Mickaël

Sorry for not getting back to you @mickaelcaro - I lost track of this!

My Azure AD guest accounts are still unable to log in. The problem, as I see it, is Sonar is logging them in through their personal AD tenant that was created with their Microsoft account instead of through my tenant, to which they’ve been added as guests and provisioned access to the registered SonarCloud enterprise app.

Here’s an example of the error message they get:

Reason: invalid_client, AADSTS650051: Using application ‘Sonarcloud’ is currently not supported for your organization xdsol.com because it is in an unmanaged state. An administrator needs to claim ownership of the company by DNS validation of xdsol.com before the application Sonarcloud can be provisioned. Trace ID: d7277a90-22dc-4625-b398-7b2d0316a800 Correlation ID: 046b1597-a77e-49a9-857e-cbacd09b8c04 Timestamp: 2019-12-17 15:42:38Z

With the changes you’ve made, is there something additional I need to configure?

For now, we’re working around this by setting them up with GitHub accounts and having them log in that way, but this is not ideal.

Thanks for following up!

Hi @engenb

Thank you for your feedback!

After doing some research on the error that you get, it seems that the domain is not registered as a custom domain in your Azure AD (see docs here).

May I ask you to have a look at that part and let me know?

Thank you.

Mickaël

@mickaelcaro, the domain from that example, xdsol.com, is not configured as a custom domain in my AD tenant and I don’t intend to add it. My users who cannot get into Sonar are guest accounts for some contractors we’re working with, with their own email addresses. xdsol.com is not my company’s domain. We actually did try adding the custom domain xdsol.com to one of my guest users’ “just in time” tenants (their personal Azure tenant created with their personal account) but that did not resolve this issue.

OK, thanks for the clarification!

Are they Azure AD guests, or Azure DevOps guests? Or both?

They are Azure AD guest accounts, @mickaelcaro. When they log in to our Azure DevOps, our org in DevOps is configured to use our AD tenant, so DevOps redirects them to our tenant-specific login.

I think the difference here is, Sonar redirects users to the common MS auth endpoint. It’s not likely using MY tenant to log them in. I believe the common endpoint will log them in through THEIR tenant. The problem there is, none of the access I’ve set up in my tenant is evaluated. For example, it’d be great if I could assign group(s) in AD to the SonarCloud app and let AD evaluate if an AD user has access to Sonar or not. Currently, all of this is done in Sonar.

There’s nothing in Sonar that lets me configure “my org is using AD.” For example, if I log out of Sonar and then browse directly to my Sonar org (https://sonarcloud.io/organizations/leasecrunch) I do not get redirected to my tenant-specific auth, which I think is odd. Instead, I get a 403 error.
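Editor’s added example, not code from SonarCloud or from anyone in this thread: the difference Brian describes in his first post (steps 1-3) and again above, between sending users to the `common` authorize endpoint and pinning the sign-in to one directory, shown in Python. The URL shape `https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize` and the `tid`/`iss` claims of a v2.0 ID token are as documented by the Microsoft identity platform; the tenant and client GUIDs, the redirect URI and the `make_unsigned_token` fixture are constructed placeholders for this example only. Signature verification against the tenant’s JWKS (and `aud`/`exp`/`nonce` checks) is deliberately left out; a real relying party must do it before trusting any claim.

```python
"""Tenant-specific Microsoft identity platform sign-in: build the authorize
URL for one tenant instead of 'common', then gate on the ID token's tid.
Added illustration; not SonarCloud code."""
import base64
import json
from urllib.parse import urlencode

LOGIN_HOST = "https://login.microsoftonline.com"

# Constructed placeholder values; none of these are real tenants or apps.
HOST_TENANT = "11111111-1111-1111-1111-111111111111"        # the "parent" directory
GUEST_HOME_TENANT = "22222222-2222-2222-2222-222222222222"  # a contractor's own tenant
CLIENT_ID = "33333333-3333-3333-3333-333333333333"
REDIRECT_URI = "https://app.example/callback"               # hypothetical


def authorize_url(tenant, client_id, redirect_uri, state, nonce):
    """tenant is 'common', 'organizations', a tenant GUID or a verified domain.
    'common' lets the user sign in against whatever directory is their home;
    a GUID/domain forces Azure AD to authenticate them against that directory,
    so its app assignments and conditional access are the ones evaluated."""
    params = {
        "client_id": client_id,
        "response_type": "id_token",   # implicit OIDC flow, chosen for brevity here
        "redirect_uri": redirect_uri,
        "scope": "openid profile email",
        "response_mode": "form_post",
        "state": state,
        "nonce": nonce,
    }
    return f"{LOGIN_HOST}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_unsigned_token(claims):
    """Constructed test fixture only: a compact JWT with an empty signature.
    Azure AD never issues alg=none tokens; this just produces parseable input."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def id_token_claims(token):
    """Decode the payload WITHOUT verifying it. In production, validate the
    signature against the issuer's JWKS plus aud/exp/nonce first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def tenant_allowed(claims, allowed_tenants):
    """Accept only tokens minted by an allowed directory. The issuer must
    agree with tid, because iss is what the signature is validated against;
    a token from a guest's home tenant carries that tenant's tid, not ours."""
    tid = claims.get("tid")
    if not tid:
        return False
    if claims.get("iss") != f"{LOGIN_HOST}/{tid}/v2.0":
        return False
    return tid in allowed_tenants


if __name__ == "__main__":
    print(authorize_url("common", CLIENT_ID, REDIRECT_URI, "s1", "n1"))
    print(authorize_url(HOST_TENANT, CLIENT_ID, REDIRECT_URI, "s1", "n1"))
    ours = make_unsigned_token({"iss": f"{LOGIN_HOST}/{HOST_TENANT}/v2.0",
                                "tid": HOST_TENANT, "aud": CLIENT_ID})
    theirs = make_unsigned_token({"iss": f"{LOGIN_HOST}/{GUEST_HOME_TENANT}/v2.0",
                                  "tid": GUEST_HOME_TENANT, "aud": CLIENT_ID})
    print(tenant_allowed(id_token_claims(ours), {HOST_TENANT}))    # True
    print(tenant_allowed(id_token_claims(theirs), {HOST_TENANT}))  # False
```

The second URL is what step 3 of the first post asks for: look up the organization’s tenant, redirect there, and the directory’s own app assignment decides who gets in. The `tenant_allowed` check is the server-side counterpart: even if a user arrives with a token from the `common` endpoint, a token whose `tid` is their home tenant rather than the host tenant is rejected instead of silently mapping to a SonarCloud username.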

Indeed, we are using the common endpoint, because we want to bring access to SonarCloud to users who have Azure AD accounts but personal and social accounts as well.

Microsoft Identity is used only to log in / register; SonarCloud accounts (just usernames) are then used to identify a person in an organization, so, as long as we don’t have any binding for now between a SonarCloud organization and an Azure DevOps organization, the behavior that you have is expected.

I’ll try to find some answers to your use case and get back to you.

Thanks!

OK, thanks @mickaelcaro.

With the understanding that Sonar is logging these guest accounts in through their personal MS accounts, I had one of my contractors log in to his personal Azure portal and add his xdsol.com custom domain to his AD tenant.

After doing this, this user still cannot log in to Sonar.

We plan to implement this, you can track it here: SCCOMM-5